J.J. Thompson, CEO, Rook Security
1. Board expectation setting
IT security programs need to demonstrate that they understand the board's expectation that investments made in IT (and, in the small print, in security) are right-sized, measurable, and able to be scaled at a moment's notice, either to address emerging threats or to decrease investment in lower-priority activities.
In the last few years, Boards have pushed virtualization and cloud initiatives to realize reductions in G&A expenses. With all of the publicity around security incidents, Boards are more concerned than ever before that the IT organization has the IT security operations capabilities in place to protect the company's data both on premises and in the cloud.
2. Measurable security outcomes
Not only does security need to be scalable and cost-effective, but the marketing messaging behind virtualization and cloud capabilities has also led Boards to expect that security resources can be increased or decreased at a moment's notice, through a virtual dial that is constantly being adjusted to achieve perfect harmony.
So, what's the biggest challenge? Communication of security value vs. the spend. What’s the next big challenge? Demonstrating that security can manage KPIs like the rest of the business, and increase (or decrease) spend according to business risk.
Success has been achieved when the resources (people, time, and money) used to run security operations can be re-deployed at a moment's notice based on risks, threats, and policy decisions that take place between budgeting cycles. The re-deployment is easily documented and visualized to show the outcome of the adjustments to your security resource "dial".